DOWNLOAD.JECT - THE WORM THAT DIDN'T HAVE TO BE
A new variant of the Download.Ject worm has appeared on the Internet,
threatening users who have not yet installed Microsoft patch MS04-025.
The worm spreads through instant-messaging systems, such as AIM,
luring users to a Web site that delivers the infection.
http://www.net-security.org/news.php?id=5885

Wawa,
Yes AVG 6.0 worked perfectly. But I'm still ticked off that I picked up this Trojan from who knows where. Somehow or other it got past my Sygate.
It's nice to be able to get rid of it, but better to keep it out in the first place. From what little I have read, this one likes to keep coming back. Any ideas?
Also, a little investigation indicates Downloader is a fairly common Trojan. Downloader.Funweb.B is simply the very latest variant.
If I knew exactly how it was sneaking in, I might be better able to block it.
_________________
Jeff007

It may have a hidden .dll file (or other source) if you are repeatedly infected.

May I suggest that you post a HijackThis log into the SpywareRemoval forum? Tagline it 3162-whatever. I'll find it. Or you can PM me after you post the log, to alert me that it is there.
_________________
Proud member of the Chest Zipper Club!

As of August 31, 2004, 2:50 PM PDT (GMT -07:00, Daylight Saving Time),
TrendLabs has declared a Medium Risk Virus Alert to control the spread of
WORM_BAGLE.AI. TrendLabs has received several infection reports indicating that
this malware is spreading in Brazil, US, and Canada.

This mass-mailing worm is executed by HTML_BAGLE.AI, and is packaged as a .ZIP
compressed file. Upon execution, it drops a copy of itself as DORIOT.EXE in the
Windows system folder. It creates registry entries to ensure its automatic
execution at every Windows startup.

This worm attempts to download and execute its malware components from certain
URLs. It also kills certain processes that are mostly related to antivirus
programs.

Like the Bagle.AQ-infected messages of two weeks ago, a flood of infected e-mails started hitting users' mailboxes Tuesday bearing the subject line "foto" and an unencrypted zip file "foto.zip". However, it doesn't seem to be able to get much farther than the initial spam.

The zip file contains an HTML file that, when executed, drops a downloader component on the victim's machine, which then attempts to connect to one of many web sites to download the worm portion. The new virus, first identified by Trend Micro Inc. as Worm_Bagle.AI, appears to have been seeded, or spammed to many users, but because of problems with the web sites that carry the propagation code, it hasn't spread further.

Madrid, September 3 2004 - This week's report on viruses and intruders looks
at four threats: Bagle.AY, Bagle.AW, Bagle.AV and CodeBase.gen.

The AY, AW and AV variants of Bagle have been sent on a massive scale, via
email, in a message with the subject: 'foto' and included in a zip file
called either FOTO.ZIP or FOTO1.ZIP. This file contains an HTML file, along
with a hidden EXE. When users open the HTML file, the EXE file is also
executed.

Bagle.AY, Bagle.AW and Bagle.AV carry out a series of actions on the
computers they infect including:

- Terminating certain processes if they are active in memory. These
include processes belonging to antivirus programs, which leaves those
applications unable to protect against new viruses.

- They try to download a false JPG file from various websites, which is
actually an executable (EXE) file. Once it is downloaded, these three
variants of Bagle begin to spread.
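The two tricks described in the TrendLabs and Panda reports above, a ZIP that pairs an HTML file with a hidden EXE, and a downloaded "JPG" that is really an executable, can both be caught by trusting file content rather than file names. The following is an added example, not code from either vendor: it sniffs magic bytes (the "MZ" DOS stub of a PE file, FF D8 FF for JPEG) and reads the DOS hidden attribute from the ZIP entry's external attributes. The sample FOTO.ZIP it builds is constructed in memory with a harmless MZ stub, not real malware, and the function and variable names are my own.

```python
"""Offline triage for the Bagle-style attachment tricks described above."""
import io
import zipfile

# Magic bytes checked instead of trusting the extension.
PE_MAGIC = b"MZ"              # Win32 executables start with the DOS "MZ" stub
JPEG_MAGIC = b"\xff\xd8\xff"  # real JPEG files start with FF D8 FF

# Extensions Windows will run directly when the file is opened.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# Low byte of external_attr holds the MS-DOS attributes for ZIPs written on
# Windows; 0x02 is FILE_ATTRIBUTE_HIDDEN (assumption: archive created on Windows).
DOS_HIDDEN = 0x02


def sniff_type(data: bytes) -> str:
    """Classify a payload by its leading bytes, ignoring its name."""
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    head = data.lstrip()[:6].lower()
    if head.startswith(b"<html") or head.startswith(b"<!doct"):
        return "html"
    return "unknown"


def is_fake_image(name: str, data: bytes) -> bool:
    """True when the name claims an image but the content is a PE executable,
    i.e. the 'false JPG' the worms fetch from their download sites."""
    looks_like_image = name.lower().endswith((".jpg", ".jpeg", ".gif", ".png"))
    return looks_like_image and sniff_type(data) == "pe"


def scan_zip(blob: bytes) -> dict:
    """Inspect an attachment ZIP for the HTML + (hidden) EXE pairing."""
    findings = {"html": [], "executables": [], "pe_by_content": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            name = info.filename
            data = zf.read(info)
            kind = sniff_type(data)
            hidden = bool(info.external_attr & DOS_HIDDEN)
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if kind == "html":
                findings["html"].append(name)
            if ext in EXECUTABLE_EXTS or kind == "pe":
                findings["executables"].append((name, hidden))
            if kind == "pe":
                findings["pe_by_content"].append(name)
    # The lure needs both halves: an HTML file to open and an EXE to launch.
    findings["suspicious"] = bool(findings["html"]) and bool(findings["executables"])
    return findings


def build_sample_foto_zip() -> bytes:
    """Constructed sample shaped like the reported FOTO.ZIP (harmless bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("foto.html", "<html><body>Look at this photo!</body></html>")
        exe = zipfile.ZipInfo("foto.exe")
        exe.external_attr = DOS_HIDDEN  # marked hidden, as in the reports
        # Minimal MZ stub followed by a PE signature; not a runnable program.
        exe_bytes = b"MZ" + b"\x00" * 58 + (64).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 64
        zf.writestr(exe, exe_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    report = scan_zip(build_sample_foto_zip())
    print(report)
    print(is_fake_image("1.jpg", b"MZ\x90\x00" + b"\x00" * 60))
```

The content checks are deliberately simple; the point is that neither the attachment's extension nor the download's ".jpg" name is trusted, which is exactly what the Bagle lure depends on.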

CodeBase.gen, on the other hand, is code embedded in the body of an email
message or web page that aims to exploit the following security
problems:

- Two Internet Explorer flaws, "Browser Cache Script Execution in My
Computer Zone" and the Object Tag vulnerability, present in version 4.0 and
later and also affecting applications that embed the browser (such as
Outlook and Outlook Express). Both security problems could allow an attacker
to run arbitrary code without permission when the user visits a malicious
web page or opens a specially crafted HTML mail.

- Critical vulnerability in versions 5.04 and earlier of the Winamp
multimedia player, which allows code to be run when a skin file is
installed.
